The scam should now be resolved, good job on the speedy resolution Google!
We have taken action to protect users against an email impersonating Google Docs & have disabled offending accounts. We’ve removed the fake pages, pushed updates through Safe Browsing, and our abuse team is working to prevent this kind of spoofing from happening again. We encourage users to report phishing emails in Gmail. (source)
I received a phishing email today, and very nearly fell for it. I’ll go through the steps here:
- I received an email that a Google Doc had been shared with me. Looked reasonably legit, and I recognized the sender.
- The button’s URL was somewhat suspicious, but still reasonably Google based.
- I then got taken to a real Google account selection screen. It already knew about my 4 accounts, so it’s really signing me into Google.
- Upon selecting an account, no password was needed, I just needed to allow “Google Docs” to access my account.
- If I click “Google Docs”, it shows me it’s actually published by a random gmail account, so that user would receive full access to my emails (and could presumably therefore perform password resets etc).
- Shortly afterwards I received a followup real email from my contact, informing me: “Delete this is a spam email that spreads to your contacts.”
To summarise, this spam email:
- Uses the existing Google login system
- Uses the name “Google Docs”
- Is only detectable as fake if you happen to click “Google Docs” whilst granting permission
- Replicates itself by sending itself to all your contacts
- Bypasses any 2 factor authentication / login alerts
- Will send scam emails to everyone you have ever emailed
Google are investigating this as we speak.
How do I know if I’ve been affected?
If you clicked “Allow”, you’ve been hit. If you didn’t click the link, closed the tab first, or pressed deny, you’re okay! The app may have removed itself from your account, and may have deleted the sent emails.
What do I do if I’ve been affected?
- Revoke access to “Google Docs” immediately. It may now have a name ending in
apps.googleusercontent.comsince Google removed it. The real one doesn’t need access.
- Try and see if your account has sent any spam emails, and send a followup email linking to this post / with your own advice if so.
- Inform whoever sent you the email about the spam emails, and that their account is compromised.
What are the effects?
All emails have been accessed, and the spam forwarded to all of your contacts. This means they could have all been extracted for reading later. Additionally, password reset emails could have been sent for other services using the infected email address.
This may be the payload, so it may just self replicate, and not do anything nastier. This is not at all confirmed, however, so assume the worst until an official Google statement.
I’m a G Suite sysadmin, what do I do?
The following steps by/u/banden may help, but I can’t verify they’ll prevent it.
Block messages containing the firstname.lastname@example.org address from inbound and outbound mail gateway/spamav service.
Locate Accounts in Google Admin console and revoke access to Google Doc app. It may now have a name ending in
apps.googleusercontent.comsince Google removed it.